Matthew Garrett <mj...@coreos.com> wrote on 07/18/2016 08:39:07 PM:
> > On Jul 18, 2016 17:08, "Stefan Berger" <stef...@us.ibm.com> wrote:
> >
> > The point of the TPM is that the device that holds the state of
> > the PCRs provides the signatures over their state rather than some
> > other 'entity' whose trustworthiness wouldn't be clear. Admittedly
> > the device comes with its own set of challenges.
>
> The hypervisor holds the PCR state and also provides the signature.
> If the hypervisor is untrustworthy then the state of the virtualised
> system can never be verified, since it could simply have faked the
> measurements passed to whatever the root of trust is.

So the hypervisor will have the key for signing and provide the quote?

   Stefan
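The exchange above turns on who holds the attestation key relative to who holds the PCR state. The following toy model is an added example, not code from this mail thread, QEMU or any TPM stack: it mimics the shape of a TPM quote (PCR extend, a digest over selected PCRs plus a verifier nonce, a signature over that attestation blob) and then shows what happens when the party producing the quote also controls the key and the PCRs. Assumptions: the attestation-key signature is replaced by an HMAC with a per-device key (a real TPM uses an asymmetric AIK and the verifier holds only the public half); the `ToyTpm`, `verify_quote` and `forge_quote` names, the attest-blob layout and the sample measurements are all invented here.

```python
"""Toy TPM quote model (illustration only; HMAC stands in for an AIK signature)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed sample "boot measurements": the verifier's golden boot vs. a tampered one.
GOOD_BOOT = [b"firmware v1", b"bootloader v1", b"kernel v1"]
BAD_BOOT = [b"firmware v1", b"bootloader v1", b"kernel-with-rootkit"]


def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: new = H(old || H(measurement)). PCRs can only be extended, never set."""
    return hashlib.sha256(current + hashlib.sha256(measurement).digest()).digest()


def replay(measurements) -> bytes:
    """What a verifier computes from an event log: replay the extends from an all-zero PCR."""
    value = bytes(32)
    for m in measurements:
        value = pcr_extend(value, m)
    return value


def pcr_digest(values) -> bytes:
    return hashlib.sha256(b"".join(values)).digest()


def attest_blob(selection, digest: bytes, nonce: bytes) -> bytes:
    """Stand-in for the TPMS_ATTEST structure: which PCRs, their digest, and the caller's nonce."""
    return b"QUOT" + bytes(selection) + digest + nonce


@dataclass
class ToyTpm:
    """Holds the PCR state AND the attestation key, as a discrete TPM does."""
    aik: bytes = field(default_factory=lambda: os.urandom(32))  # HMAC key standing in for the AIK
    pcrs: dict = field(default_factory=lambda: {i: bytes(32) for i in range(24)})

    def extend(self, index: int, measurement: bytes) -> None:
        self.pcrs[index] = pcr_extend(self.pcrs[index], measurement)

    def quote(self, selection, nonce: bytes) -> dict:
        """Sign the current PCR digest together with the verifier's nonce."""
        digest = pcr_digest([self.pcrs[i] for i in selection])
        sig = hmac.new(self.aik, attest_blob(selection, digest, nonce), hashlib.sha256).digest()
        return {"selection": list(selection), "pcr_digest": digest, "nonce": nonce, "sig": sig}


def verify_quote(aik: bytes, quote: dict, nonce: bytes, expected_pcrs: dict) -> bool:
    """Verifier side: fresh nonce, valid signature, and digest matches the golden PCR values."""
    if quote["nonce"] != nonce:  # replayed quote
        return False
    expected_sig = hmac.new(aik, attest_blob(quote["selection"], quote["pcr_digest"], quote["nonce"]),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, quote["sig"]):
        return False
    return quote["pcr_digest"] == pcr_digest([expected_pcrs[i] for i in quote["selection"]])


def forge_quote(aik: bytes, selection, nonce: bytes, claimed_pcrs: dict) -> dict:
    """What a signer that holds the key but is not bound to the real PCR state can do."""
    digest = pcr_digest([claimed_pcrs[i] for i in selection])
    sig = hmac.new(aik, attest_blob(selection, digest, nonce), hashlib.sha256).digest()
    return {"selection": list(selection), "pcr_digest": digest, "nonce": nonce, "sig": sig}


def honest_attestation() -> bool:
    """Good boot: the quote matches the verifier's golden PCR 0."""
    tpm = ToyTpm()
    for m in GOOD_BOOT:
        tpm.extend(0, m)
    nonce = os.urandom(16)
    return verify_quote(tpm.aik, tpm.quote([0], nonce), nonce, {0: replay(GOOD_BOOT)})


def tampered_attestation() -> bool:
    """Bad boot, honest signer: the PCR digest no longer matches, so verification fails."""
    tpm = ToyTpm()
    for m in BAD_BOOT:
        tpm.extend(0, m)
    nonce = os.urandom(16)
    return verify_quote(tpm.aik, tpm.quote([0], nonce), nonce, {0: replay(GOOD_BOOT)})


def replayed_attestation() -> bool:
    """An old quote presented against a new nonce is rejected."""
    tpm = ToyTpm()
    for m in GOOD_BOOT:
        tpm.extend(0, m)
    old = tpm.quote([0], os.urandom(16))
    return verify_quote(tpm.aik, old, os.urandom(16), {0: replay(GOOD_BOOT)})


def hypervisor_forged_attestation() -> bool:
    """Bad boot, but the signer (a malicious hypervisor holding the key) quotes the golden values.
    The verifier cannot tell: the quote verifies even though the real PCRs say otherwise."""
    tpm = ToyTpm()
    for m in BAD_BOOT:
        tpm.extend(0, m)
    nonce = os.urandom(16)
    forged = forge_quote(tpm.aik, [0], nonce, {0: replay(GOOD_BOOT)})
    return verify_quote(tpm.aik, forged, nonce, {0: replay(GOOD_BOOT)})
```

`honest_attestation()`, `tampered_attestation()` and `replayed_attestation()` show the checks a quote is supposed to provide; `hypervisor_forged_attestation()` returns True, which is the failure the thread is describing: the signature proves only that whoever holds the key signed that digest, so a verifier learns nothing unless the key holder is the same component that was forced to record the measurements.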